APPENDIX B
Pdf Summary
This appendix defines Oakleaf’s four-level data classification scheme and the handling controls required to protect information according to its sensitivity: <strong>Restricted, Confidential, Private, and Public</strong>. <strong>Private</strong> is the default classification for information created or received in the course of work unless it requires greater protection or has been approved for public release. When data of different classes is combined in one system, the <strong>most restrictive</strong> classification applies. Restricted, Confidential, and Private data must never be released publicly, but may be shared with third parties when there is a business need and appropriate controls are in place. Data may not be moved to a new format or medium that lacks equivalent controls. Exceptions require <strong>CEO and CISO</strong> approval.

<strong>Restricted</strong> is the most sensitive class, often driven by legal or contractual rules; an example is client NPI/PII in loan files. Loss would cause significant damage (regulatory, contractual, reputational, competitive, or lawsuit risk). Controls include encryption in storage and in transit, no mobile or cloud storage, no IM or FTP (SFTP is allowed), encrypted email only, strict prohibitions on printing, copying, and faxing, certified mail requirements, secure disposal, labeling, and CEO/Managing Director approval plus an NDA before release to a third party.

<strong>Confidential</strong> (internally designated) includes employee PII/NPI and accounting, payroll, and financial data; loss causes moderate damage. Controls are similar to Restricted, except that secure cloud storage is allowed, encryption is recommended internally and required externally, printing and copying are allowed with approval, and faxing is prohibited.

<strong>Private</strong> is internal business information not intended for public release; loss generally causes minimal or no damage. Encryption is recommended for storage (including on mobile devices, with remote wipe) and for external transmission; IM and FTP are prohibited; basic printing, mail, and disposal guidance applies.

<strong>Public</strong> information is freely shareable, with no business impact if disclosed; minimal controls apply. The document also defines <strong>NPI/PII</strong> (a name plus identifiers such as SSN/TIN, passport number, driver’s license number, financial account numbers, or ePHI) and provides example data types mapped to classification levels, noting that client engagement data may carry client-specific requirements.
Keywords
data classification scheme
Restricted data handling
Confidential information controls
Private data default classification
Public information release
NPI PII definition
encryption requirements
third-party data sharing NDA
data movement equivalent controls
CEO CISO approval exceptions